On-demand network security system

ABSTRACT

An on-demand virtual security system between a client and a server in communication with a network, the system including an orchestrator, wherein upon receiving a service request from at least one of the client and the server, the orchestrator instantiates a security virtual function within the network and supplies the security virtual function with at least one connectivity policy, and wherein the security virtual function applies the at least one connectivity policy to approve or disapprove a connection between the client and the server and wherein upon the security virtual function approving the connection between the client and the server, a orchestrator establishes a data session; and wherein after the data session has concluded, the orchestrator terminates the security virtual function.

TECHNICAL FIELD

This disclosure relates generally to network management and, morespecifically, to an on-demand network security system. Moreparticularly, the disclosure relates to a system that provisions pernetwork session or per virtual network function, a network securityvirtual function to enforce dynamic firewall rules, single packetauthorization or a software defined perimeter. Most particularly, thedisclosure relates to an on-demand network security system thatdeactivates the network security virtual function after it has appliedthe provisioned security function against a network session.

BACKGROUND

Communication networks have migrated from using specialized networkingequipment executing on dedicated hardware, like routers, firewalls, andgateways, to software defined networks (SDNs) executing as virtualizednetwork functions (VNF) in a cloud infrastructure. To provide a service,a set of VNFs may be instantiated on the general purpose hardware. EachVNF may require one or more virtual machines (VMs) to be instantiated.In turn, VMs may require various resources, such as memory, virtualcomputer processing units (vCPUs), and network interfaces or networkinterface cards (NICs). Determining how to assign these resources amongVMs in an efficient manner may be unbearably complex.

At the same, time security of such VNFs, VMs and sessions becomesincreasingly important. Currently, network security controls relyheavily on predefined static firewall rules. With the proliferation ofvirtual functions and virtual machines, the static firewall lacks theflexibility and bandwidth to efficiently moderate security. Thisdisclosure is directed to solving one or more of the problems in theexisting technology.

SUMMARY

According to an example, the disclosure generally provides an on-demandvirtual security system between a client and a server in communicationwith a network, the system including an orchestrator, wherein uponreceiving a service request from at least one of the client and theserver, the orchestrator instantiates a security virtual function withinthe network and supplies the security virtual function with at least oneconnectivity policy, and wherein the security virtual function appliesthe at least one connectivity policy to approve or disapprove aconnection between the client and the server and wherein upon thesecurity virtual function approving the connection between the clientand the server, a orchestrator establishes a data session; and whereinafter the data session has concluded, the orchestrator terminates thesecurity virtual function.

Still another example provides a network device comprising a processor,an input/output device coupled to the processor, and a memory coupledwith the processor, the memory comprising executable instructions thatwhen executed by the processor cause the processor to effectuateoperations comprising: instantiating a security virtual function inresponse to instantiation of one of a network session and a virtualnetwork function; the security virtual function configured to apply atleast one connection policy to allow or deny traffic in a data session;after the data session, the security virtual function is terminated.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following description, for purposes of explanation, numerousspecific details are set forth in order to provide an understanding ofthe variations in implementing the disclosed technology. However, theinstant disclosure may take many different forms and should not beconstrued as limited to the examples set forth herein. Where practical,like numbers refer to like elements throughout.

FIG. 1A is a representation of an exemplary network.

FIG. 1B is a representation of an exemplary hardware platform.

FIG. 2 is a representation of an on-demand network security systemaccording to an example.

FIG. 2A is a flow diagram for an on-demand network security systemaccording to an example.

FIG. 3 is a representation of a network device according to an example.

FIG. 4 depicts an exemplary communication system that provides wirelesstelecommunication services over wireless communication networks that maybe at least partially implemented as an SDN.

FIG. 5 depicts an exemplary diagrammatic representation of a machine inthe form of a computer system.

FIG. 6 is a representation of a telecommunications network.

FIG. 7 is a representation of a core network.

FIG. 8 is a representation packet-based mobile cellular networkenvironment.

FIG. 9 is a representation of a GPRS network.

FIG. 10 is a representation a PLMN architecture.

DETAILED DESCRIPTION

FIG. 1A is a representation of an exemplary network 100. Network 100 maycomprise a software defined network or SDN—that is, network 100 mayinclude one or more virtualized functions implemented on general purposehardware, such as in lieu of having dedicated hardware for every networkfunction. That is, general purpose hardware of network 100 may beconfigured to run virtual network elements to support communicationservices, such as mobility services, including consumer services andenterprise services. These services may be provided or measured insessions.

A virtual network function(s) (VNF) 102 may be able to support a limitednumber of sessions. Each VNF 102 may have a VNF type that indicates itsfunctionality or role. For example, FIG. 1A illustrates a gateway VNF102 a and a policy and charging rules function (PCRF) VNF 102 b.Additionally or alternatively, VNFs 102 may include other types of VNFs.Each VNF 102 may use one or more virtual machine (VM) 104 to operate.Each VM 104 may have a VM type that indicates its functionality or role.For example, FIG. 1a illustrates a management control module (MCM) VM104 a and an advanced services module (ASM) VM 104 b. Additionally oralternatively, VM 104 may include other types of VMs. Each VM 104 mayconsume various network resources from a hardware platform 106, such asa resource 108, a virtual central processing unit (vCPU) 108 a, memory108 b, or a network interface card (NIC) 108 c. Additionally oralternatively, hardware platform 106 may include other types ofresources 108.

While FIG. 1A illustrates resources 108 as collectively contained inhardware platform 106, the configuration of hardware platform 106 mayisolate, for example, certain memory 108 c from other memory 108 a. FIG.1b provides an exemplary implementation of hardware platform 106.

Hardware platform 106 may comprise one or more chasses 110. Chassis 110may refer to the physical housing or platform for multiple servers orother network equipment. In an aspect, chassis 110 may also refer to theunderlying network equipment. Chassis 110 may include one or moreservers 112. Server 112 may comprise general purpose computer hardwareor a computer. In an aspect, chassis 110 may comprise a metal rack, andservers 112 of chassis 110 may comprise blade servers that arephysically mounted in or on chassis 110.

Each server 112 may include one or more network resources 108, asillustrated. Servers 112 may be communicatively coupled together in anycombination or arrangement. For example, all servers 112 within a givenchassis 110 may be communicatively coupled. As another example, servers112 in different chasses 110 may be communicatively coupled.Additionally or alternatively, chasses 110 may be communicativelycoupled together in any combination or arrangement.

The characteristics of each chassis 110 and each server 112 may differ.For example, FIG. 1B illustrates that the number of servers 112 withintwo chasses 110 may vary. Additionally or alternatively, the type ornumber of resources 110 within each server 112 may vary. In an aspect,chassis 110 may be used to group servers 112 with the same resourcecharacteristics. In another aspect, servers 112 within the same chassis110 may have different resource characteristics.

Given hardware platform 106, the number of sessions that may beinstantiated may vary depending upon how efficiently resources 108 areassigned to different VMs 104. For example, assignment of VMs 104 toparticular resources 108 may be constrained by one or more rules. Forexample, a first rule may require that resources 108 assigned to aparticular VM 104 be on the same server 112 or set of servers 112. Forexample, if VM 104 uses eight vCPUs 108 a, 1 GB of memory 108 b, and 2NICs 108 c, the rules may require that all of these resources 108 besourced from the same server 112. Additionally or alternatively, VM 104may require splitting resources 108 among multiple servers 112, but suchsplitting may need to conform to certain restrictions. For example,resources 108 for VM 104 may be able to be split between two servers112. Default rules may apply. For example, a default rule may requirethat all resources 108 for a given VM 104 must come from the same server112.

With the rapid growth and adoption of network function virtualization(NFV) and software defined networks (SDN) in telecommunicationindustries, network security is an increasing concern. The proliferationand ease at which additional virtualized functions or network devicesmay be rolled out requires greater responsiveness and flexibility inperforming network security functions including but not limited toapplying connection policies, such as, firewall policies, single packetauthorization requests, software defined network perimeters, and thelike.

With reference to FIG. 2, an on-demand network security system isgenerally indicated by the number 200. System 200 may include a firstservice classifier 220, a service function forwarder 225, a singlepacket authorization service virtual function 230, an orchestrator 240,and a second service classifier 255. These components reside on asoftware defined network N depicted schematically in FIG. 2. Eachcomponent may be a network device, as described more completely below,and instantiated as a virtual function. According to the example, uponreceiving a connection request, system 200 instantiates a securityvirtual function 250 to apply connectivity protocols on demand. Once theconnectivity protocols are applied to permit or deny a connection,security virtual function 250 is terminated. It will be understood withthe proliferation of virtual functions and vendor resources for which aservice connection is required, the ability to create a security virtualfunction 250 on demand and remove it once it has performed itsoperation, makes network N more efficient by only provisioning theresource for a limited time.

In the example, a client host 205 and server 210 reside outside of theperimeter P of network N. Client 205 may communicate with network N viaan access router 216, and server 210 may communicate via an aggregationrouter 260 that provides a gateway to network for one or more serviceproviders. Within the perimeter P of network N, a first serviceclassifier 220 may communicate with access router 216 and a secondservice classifier 255 may communicate with aggregation router 260. Thefirst service classifier 220 and second service classifier 255 mayinterchangeably act as an ingress service classifier and an egressservice classifier depending on the data flow between client and server.In the example shown, a client 205 initiates a request for service suchthat first service classifier 220 acts as the ingress service classifierand second service classifier, which communicates with the server 210,acts as the egress service classifier. Return data flow occurs in thereverse direction. This example should not be considered limiting.

A service connection between client 205 and server 210 is preceded witha request to create a network session or access a virtual function.According to one example, request R may include a single packetauthorization (SPA) request (solid arrow) transmitted via an accessrouter 216. This SPA request is classified by ingress service classifier220 and routed by the service function forwarder (SFF) 225 to the SPAservice function 230. Once validated by the SPA service function 230 atV, the service function chain orchestration layer 240 applies theappropriate network policy and dynamically orchestrates (at O) the atleast one security virtual function instances 250. Security virtualfunction 250 is configured to perform a security service, and may forexample act as a virtual firewall. Service function orchestration layer240 updates (at U) the SFF 225 and ingress/egress service classifiers,220 and 255 respectively, for the subsequent data connection.

The subsequent data connection D (dashed arrow) from the client 205 toserver 210 is classified by the ingress classification 220, routed bythe SFF 225 through the dynamically allocated firewall SF 250. Thefirewall SF 250 applies connection specific policies, allows or deniestraffic. Allowed traffic is forwarded by the SFF 225, through the egressservice classifier 255, the aggregation router 260, ultimately to theservicing host 210. Service response traffic follows the reverse path.

At conclusion of the data session, the dynamic firewall SF 250 isterminated and the service function orchestration layer 240 updates thepolicies on the SFF 225 and service classifier components 220,255.

With reference to FIG. 2A, operations of system 200 are schematicallydepicted. A connection requests is received at step 261. Request may beinitially be received at an ingress router as described above, andclassify by ingress service classifier at 262. In the embodimentdepicted in FIG. 2, the request is passed through service functionforwarder to an SPA function at 263. According to an optional example,rather than employing a dedicated SPA component, system 200 mayinstantiate a security function that includes an on demand SPA servicefunction at 263A. In either example, the request must be validated bySPA function before a connection between client and server isestablished at 264. Once single packet authorization is complete, theon-demand SPA may be terminated.

Upon successful SPA, a control plane report to orchestrator is made at265. Orchestrator instantiates virtual security function at 266 to applyconnectivity polices at 267. In one example, at 267, security functionoperates as a virtual firewall. As schematically indicated at 268, ifthe connectivity policy is not successfully passed, a connection isdenied at 269. If the connectivity policy is successfully passed at 268,orchestrator updates SFF and the ingress and egress classifiers at 270.With this update, SFF forwards allowed traffic at 271 to egressclassifier, which passes the allowed traffic to aggregation router at273. Aggregation router in turn sends allowed traffic to serviceprovider at 274 to establish at data session between client and serviceprovider at 275. At conclusion of the data session, generally indicatedat 280, orchestrator terminates dynamic firewall security function 250at 282 and updates the policies on the SFF 225 and service classifiercomponents 220,255 at 283.

System 200 may be implemented in a network device and instantiated asone or more virtual functions. FIG. 3 illustrates a functional blockdiagram depicting one example of a network device, generally indicatedat 300. Network device 300 may comprise a processor 302 and a memory 304coupled to processor 302. Memory 304 may contain executable instructionsthat, when executed by processor 302, cause processor 302 to effectuateoperations associated with translating parallel protocols between endpoints in families as described above. As evident from the descriptionherein, network device 300 is not to be construed as software per se.

In addition to processor 302 and memory 304, network device 300 mayinclude an input/output system 306. Processor 302, memory 304, andinput/output system 306 may be coupled together to allow communicationsbetween them. Each portion of network device 300 may comprise circuitryfor performing functions associated with each respective portion. Thus,each portion may comprise hardware, or a combination of hardware andsoftware. Accordingly, each portion of network device 300 is not to beconstrued as software per se. Input/output system 306 may be capable ofreceiving or providing information from or to a communications device orother network entities configured for telecommunications. For exampleinput/output system 306 may include a wireless communications (e.g.,3G/4G/GPS) card. Input/output system 306 may be capable of receiving orsending video information, audio information, control information, imageinformation, data, or any combination thereof. Input/output system 306may be capable of transferring information with network device 300. Invarious configurations, input/output system 306 may receive or provideinformation via any appropriate means, such as, for example, opticalmeans (e.g., infrared), electromagnetic means (e.g., RF, Wi-Fi,Bluetooth®, ZigBee®), acoustic means (e.g., speaker, microphone,ultrasonic receiver, ultrasonic transmitter), electrical means, or acombination thereof. In an example configuration, input/output system306 may comprise a Wi-Fi finder, a two-way GPS chipset or equivalent, orthe like, or a combination thereof. Bluetooth, infrared, NFC, and Zigbeeare generally considered short range (e.g., few centimeters to 20meters). WiFi is considered medium range (e.g., approximately 100meters).

Input/output system 306 of network device 300 also may contain acommunication connection 308 that allows network device 300 tocommunicate with other devices, network entities, or the like.Communication connection 308 may comprise communication media.Communication media typically embody computer-readable instructions,data structures, program modules or other data in a modulated datasignal such as a carrier wave or other transport mechanism and includesany information delivery media. By way of example, and not limitation,communication media may include wired media such as a wired network ordirect-wired connection, or wireless media such as acoustic, RF,infrared, or other wireless media. The term computer-readable media asused herein includes both storage media and communication media.Input/output system 306 also may include an input device 310 such askeyboard, mouse, pen, voice input device, or touch input device.Input/output system 306 may also include an output device 312, such as adisplay, speakers, or a printer.

Processor 302 may be capable of performing functions associated withtelecommunications, such as security functions, as described herein. Forexample, processor 302 may be capable of, in conjunction with any otherportion of network device 300, acting as an on demand security virtualfunction applying connectivity policies as described herein. Accordingto one example, processor 302 performs functions to form a virtualfirewall.

Memory 304 of network device 300 may comprise a storage medium having aconcrete, tangible, physical structure. As is known, a signal does nothave a concrete, tangible, physical structure. Memory 304, as well asany computer-readable storage medium described herein, is not to beconstrued as a signal. Memory 304, as well as any computer-readablestorage medium described herein, is not to be construed as a transientsignal. Memory 304, as well as any computer-readable storage mediumdescribed herein, is not to be construed as a propagating signal. Memory304, as well as any computer-readable storage medium described herein,is to be construed as an article of manufacture.

Memory 304 may store any information utilized in conjunction withtelecommunications. Depending upon the exact configuration or type ofprocessor, memory 304 may include a volatile storage 314 (such as sometypes of RAM), a nonvolatile storage 316 (such as ROM, flash memory), ora combination thereof. Memory 304 may include additional storage (e.g.,a removable storage 318 or a non-removable storage 320) including, forexample, tape, flash memory, smart cards, CD-ROM, DVD, or other opticalstorage, magnetic cassettes, magnetic tape, magnetic disk storage orother magnetic storage devices, USB-compatible memory, or any othermedium that can be used to store information and that can be accessed bynetwork device 300. Memory 304 may comprise executable instructionsthat, when executed by processor 302, cause processor 302 to effectuateoperations to instantiate a security virtual function on demand asdescribed above.

FIG. 4 illustrates a functional block diagram depicting one example ofan LTE-EPS network architecture 400 that may be at least partiallyimplemented as an SDN. Network architecture 400 disclosed herein isreferred to as a modified LTE-EPS architecture 400 to distinguish itfrom a traditional LTE-EPS architecture.

An example modified LTE-EPS architecture 400 is based at least in parton standards developed by the 3rd Generation Partnership Project (3GPP),with information available at www.3gpp.org. LTE-EPS network architecture400 may include an access network 402, a core network 404, e.g., an EPCor Common BackBone (CBB) and one or more external networks 406,sometimes referred to as PDN or peer entities. Different externalnetworks 406 can be distinguished from each other by a respectivenetwork identifier, e.g., a label according to DNS naming conventionsdescribing an access point to the PDN. Such labels can be referred to asAccess Point Names (APN). External networks 406 can include one or moretrusted and non-trusted external networks such as an internet protocol(IP) network 408, an IP multimedia subsystem (IMS) network 410, andother networks 412, such as a service network, a corporate network, orthe like. In an aspect, access network 402, core network 404, orexternal network 405 may include or communicate with network 100.

Access network 402 can include an LTE network architecture sometimesreferred to as Evolved Universal mobile Telecommunication systemTerrestrial Radio Access (E UTRA) and evolved UMTS Terrestrial RadioAccess Network (E-UTRAN). Broadly, access network 402 can include one ormore communication devices, commonly referred to as UE 414, and one ormore wireless access nodes, or base stations 416 a, 416 b. Duringnetwork operations, at least one base station 416 communicates directlywith UE 414. Base station 416 can be an evolved Node B (e-NodeB), withwhich UE 414 communicates over the air and wirelessly. UEs 414 caninclude, without limitation, wireless devices, e.g., satellitecommunication systems, portable digital assistants (PDAs), laptopcomputers, tablet devices and other mobile devices (e.g., cellulartelephones, smart appliances, and so on). UEs 414 can connect to eNBs416 when UE 414 is within range according to a corresponding wirelesscommunication technology.

UE 414 generally runs one or more applications that engage in a transferof packets between UE 414 and one or more external networks 406. Suchpacket transfers can include one of downlink packet transfers fromexternal network 406 to UE 414, uplink packet transfers from UE 414 toexternal network 406 or combinations of uplink and downlink packettransfers. Applications can include, without limitation, web browsing,VoIP, streaming media and the like. Each application can pose differentQuality of Service (QoS) requirements on a respective packet transfer.Different packet transfers can be served by different bearers withincore network 404, e.g., according to parameters, such as the QoS.

Core network 404 uses a concept of bearers, e.g., EPS bearers, to routepackets, e.g., IP traffic, between a particular gateway in core network404 and UE 414. A bearer refers generally to an IP packet flow with adefined QoS between the particular gateway and UE 414. Access network402, e.g., E UTRAN, and core network 404 together set up and releasebearers as required by the various applications. Bearers can beclassified in at least two different categories: (i) minimum guaranteedbit rate bearers, e.g., for applications, such as VoIP; and (ii)non-guaranteed bit rate bearers that do not require guarantee bit rate,e.g., for applications, such as web browsing.

In one embodiment, the core network 404 includes various networkentities, such as MME 418, SGW 420, Home Subscriber Server (HSS) 422,Policy and Charging Rules Function (PCRF) 424 and PGW 426. In oneembodiment, MME 418 comprises a control node performing a controlsignaling between various equipment and devices in access network 402and core network 404. The protocols running between UE 414 and corenetwork 404 are generally known as Non-Access Stratum (NAS) protocols.

For illustration purposes only, the terms MME 418, SGW 420, HSS 422 andPGW 426, and so on, can be server devices, but may be referred to in thesubject disclosure without the word “server.” It is also understood thatany form of such servers can operate in a device, system, component, orother form of centralized or distributed hardware and software. It isfurther noted that these terms and other terms such as bearer pathsand/or interfaces are terms that can include features, methodologies,and/or fields that may be described in whole or in part by standardsbodies such as the 3GPP. It is further noted that some or allembodiments of the subject disclosure may in whole or in part modify,supplement, or otherwise supersede final or proposed standards publishedand promulgated by 3GPP.

According to traditional implementations of LTE-EPS architectures, SGW420 routes and forwards all user data packets. SGW 420 also acts as amobility anchor for user plane operation during handovers between basestations, e.g., during a handover from first eNB 416 a to second eNB 416b as may be the result of UE 414 moving from one area of coverage, e.g.,cell, to another. SGW 420 can also terminate a downlink data path, e.g.,from external network 406 to UE 414 in an idle state, and trigger apaging operation when downlink data arrives for UE 414. SGW 420 can alsobe configured to manage and store a context for UE 414, e.g., includingone or more of parameters of the IP bearer service and network internalrouting information. In addition, SGW 420 can perform administrativefunctions, e.g., in a visited network, such as collecting informationfor charging (e.g., the volume of data sent to or received from theuser), and/or replicate user traffic, e.g., to support a lawfulinterception. SGW 420 also serves as the mobility anchor forinterworking with other 3GPP technologies such as universal mobiletelecommunication system (UMTS).

At any given time, UE 414 is generally in one of three different states:detached, idle, or active. The detached state is typically a transitorystate in which UE 414 is powered on but is engaged in a process ofsearching and registering with network 402. In the active state, UE 414is registered with access network 402 and has established a wirelessconnection, e.g., radio resource control (RRC) connection, with eNB 416.Whether UE 414 is in an active state can depend on the state of a packetdata session, and whether there is an active packet data session. In theidle state, UE 414 is generally in a power conservation state in whichUE 414 typically does not communicate packets. When UE 414 is idle, SGW420 can terminate a downlink data path, e.g., from one peer entity 406,and triggers paging of UE 414 when data arrives for UE 414. If UE 414responds to the page, SGW 420 can forward the IP packet to eNB 416 a.

HSS 422 can manage subscription-related information for a user of UE414. For example, tHSS 422 can store information such as authorizationof the user, security requirements for the user, quality of service(QoS) requirements for the user, etc. HSS 422 can also hold informationabout external networks 406 to which the user can connect, e.g., in theform of an APN of external networks 406. For example, MME 418 cancommunicate with HSS 422 to determine if UE 414 is authorized toestablish a call, e.g., a voice over IP (VoIP) call before the call isestablished.

PCRF 424 can perform QoS management functions and policy control. PCRF424 is responsible for policy control decision-making, as well as forcontrolling the flow-based charging functionalities in a policy controlenforcement function (PCEF), which resides in PGW 426. PCRF 424 providesthe QoS authorization, e.g., QoS class identifier and bit rates thatdecide how a certain data flow will be treated in the PCEF and ensuresthat this is in accordance with the user's subscription profile.

PGW 426 can provide connectivity between the UE 414 and one or more ofthe external networks 406. In illustrative network architecture 400, PGW426 can be responsible for IP address allocation for UE 414, as well asone or more of QoS enforcement and flow-based charging, e.g., accordingto rules from the PCRF 424. PGW 426 is also typically responsible forfiltering downlink user IP packets into the different QoS-based bearers.In at least some embodiments, such filtering can be performed based ontraffic flow templates. PGW 426 can also perform QoS enforcement, e.g.,for guaranteed bit rate bearers. PGW 426 also serves as a mobilityanchor for interworking with non-3GPP technologies such as CDMA2000.

Within access network 402 and core network 404 there may be variousbearer paths/interfaces, e.g., represented by solid lines 428 and 430.Some of the bearer paths can be referred to by a specific label. Forexample, solid line 428 can be considered an S1-U bearer and solid line432 can be considered an S5/S8 bearer according to LTE-EPS architecturestandards. Without limitation, reference to various interfaces, such asS1, X2, S5, S8, S11 refer to EPS interfaces. In some instances, suchinterface designations are combined with a suffix, e.g., a “U” or a “C”to signify whether the interface relates to a “User plane” or a “Controlplane.” In addition, the core network 404 can include various signalingbearer paths/interfaces, e.g., control plane paths/interfacesrepresented by dashed lines 430, 434, 436, and 438. Some of thesignaling bearer paths may be referred to by a specific label. Forexample, dashed line 430 can be considered as an S1-MME signalingbearer, dashed line 434 can be considered as an S11 signaling bearer anddashed line 436 can be considered as an S6a signaling bearer, e.g.,according to LTE-EPS architecture standards. The above bearer paths andsignaling bearer paths are only illustrated as examples and it should benoted that additional bearer paths and signaling bearer paths may existthat are not illustrated.

Also shown is a novel user plane path/interface, referred to as theS1-U+ interface 466. In the illustrative example, the S1-U+ user planeinterface extends between the eNB 416 a and PGW 426. Notably, S1-U+path/interface does not include SGW 420, a node that is otherwiseinstrumental in configuring and/or managing packet forwarding betweeneNB 416 a and one or more external networks 406 by way of PGW 426. Asdisclosed herein, the S1-U+ path/interface facilitates autonomouslearning of peer transport layer addresses by one or more of the networknodes to facilitate a self-configuring of the packet forwarding path. Inparticular, such self-configuring can be accomplished during handoversin most scenarios so as to reduce any extra signaling load on the S/PGWs420, 426 due to excessive handover events.

In some embodiments, PGW 426 is coupled to storage device 440, shown inphantom. Storage device 440 can be integral to one of the network nodes,such as PGW 426, for example, in the form of internal memory and/or diskdrive. It is understood that storage device 440 can include registerssuitable for storing address values. Alternatively or in addition,storage device 440 can be separate from PGW 426, for example, as anexternal hard drive, a flash drive, and/or network storage.

Storage device 440 selectively stores one or more values relevant to theforwarding of packet data. For example, storage device 440 can storeidentities and/or addresses of network entities, such as any of networknodes 418, 420, 422, 424, and 426, eNBs 416 and/or UE 414. In theillustrative example, storage device 440 includes a first storagelocation 442 and a second storage location 444. First storage location442 can be dedicated to storing a Currently Used Downlink address value442. Likewise, second storage location 444 can be dedicated to storing aDefault Downlink Forwarding address value 444. PGW 426 can read and/orwrite values into either of storage locations 442, 444, for example,managing Currently Used Downlink Forwarding address value 442 andDefault Downlink Forwarding address value 444 as disclosed herein.

In some embodiments, the Default Downlink Forwarding address for eachEPS bearer is the SGW S5-U address for each EPS Bearer. The CurrentlyUsed Downlink Forwarding address” for each EPS bearer in PGW 426 can beset every time when PGW 426 receives an uplink packet, e.g., a GTP-Uuplink packet, with a new source address for a corresponding EPS bearer.When UE 414 is in an idle state, the “Current Used Downlink Forwardingaddress” field for each EPS bearer of UE 414 can be set to a “null” orother suitable value.

In some embodiments, the Default Downlink Forwarding address is onlyupdated when PGW 426 receives a new SGW S5-U address in a predeterminedmessage or messages. For example, the Default Downlink Forwardingaddress is only updated when PGW 426 receives one of a Create SessionRequest, Modify Bearer Request and Create Bearer Response messages fromSGW 420.

As values 442, 444 can be maintained and otherwise manipulated on a perbearer basis, it is understood that the storage locations can take theform of tables, spreadsheets, lists, and/or other data structuresgenerally well understood and suitable for maintaining and/or otherwisemanipulate forwarding addresses on a per bearer basis.

It should be noted that access network 402 and core network 404 areillustrated in a simplified block diagram in FIG. 4. In other words,either or both of access network 402 and the core network 404 caninclude additional network elements that are not shown, such as variousrouters, switches and controllers. In addition, although FIG. 4illustrates only a single one of each of the various network elements,it should be noted that access network 402 and core network 404 caninclude any number of the various network elements. For example, corenetwork 404 can include a pool (i.e., more than one) of MMEs 418, SGWs420 or PGWs 426.

In the illustrative example, data traversing a network path between UE414, eNB 416 a, SGW 420, PGW 426 and external network 406 may beconsidered to constitute data transferred according to an end-to-end IPservice. However, for the present disclosure, to properly performestablishment management in LTE-EPS network architecture 400, the corenetwork, data bearer portion of the end-to-end IP service is analyzed.

An establishment may be defined herein as a connection set up requestbetween any two elements within LTE-EPS network architecture 400. Theconnection set up request may be for user data or for signaling. Afailed establishment may be defined as a connection set up request thatwas unsuccessful. A successful establishment may be defined as aconnection set up request that was successful.

In one embodiment, a data bearer portion comprises a first portion(e.g., a data radio bearer 446) between UE 414 and eNB 416 a, a secondportion (e.g., an S1 data bearer 428) between eNB 416 a and SGW 420, anda third portion (e.g., an S5/S8 bearer 432) between SGW 420 and PGW 426.Various signaling bearer portions are also illustrated in FIG. 4. Forexample, a first signaling portion (e.g., a signaling radio bearer 448)between UE 414 and eNB 416 a, and a second signaling portion (e.g., S1signaling bearer 430) between eNB 416 a and MME 418.

In at least some embodiments, the data bearer can include tunneling,e.g., IP tunneling, by which data packets can be forwarded in anencapsulated manner, between tunnel endpoints. Tunnels, or tunnelconnections can be identified in one or more nodes of network 100, e.g.,by one or more of tunnel endpoint identifiers, an IP address and a userdatagram protocol port number. Within a particular tunnel connection,payloads, e.g., packet data, which may or may not include protocolrelated information, are forwarded between tunnel endpoints.

An example of first tunnel solution 450 includes a first tunnel 452 abetween two tunnel endpoints 454 a and 456 a, and a second tunnel 452 bbetween two tunnel endpoints 454 b and 456 b. In the illustrativeexample, first tunnel 452 a is established between eNB 416 a and SGW420. Accordingly, first tunnel 452 a includes a first tunnel endpoint454 a corresponding to an S1-U address of eNB 416 a (referred to hereinas the eNB S1-U address), and second tunnel endpoint 456 a correspondingto an S1-U address of SGW 420 (referred to herein as the SGW S1-Uaddress). Likewise, second tunnel 452 b includes first tunnel endpoint454 b corresponding to an S5-U address of SGW 420 (referred to herein asthe SGW S5-U address), and second tunnel endpoint 456 b corresponding toan S5-U address of PGW 426 (referred to herein as the PGW S5-U address).

In at least some embodiments, first tunnel solution 450 is referred toas a two tunnel solution, e.g., according to the GPRS Tunneling ProtocolUser Plane (GTPv1-U based), as described in 3GPP specification TS29.281, incorporated herein in its entirety. It is understood that oneor more tunnels are permitted between each set of tunnel end points. Forexample, each subscriber can have one or more tunnels, e.g., one foreach PDP context that they have active, as well as possibly havingseparate tunnels for specific connections with different quality ofservice requirements, and so on.

An example of second tunnel solution 458 includes a single or directtunnel 460 between tunnel endpoints 462 and 464. In the illustrativeexample, direct tunnel 460 is established between eNB 416 a and PGW 426,without subjecting packet transfers to processing related to SGW 420.Accordingly, direct tunnel 460 includes first tunnel endpoint 462corresponding to the eNB S1-U address, and second tunnel endpoint 464corresponding to the PGW S5-U address. Packet data received at eitherend can be encapsulated into a payload and directed to the correspondingaddress of the other end of the tunnel. Such direct tunneling avoidsprocessing, e.g., by SGW 420 that would otherwise relay packets betweenthe same two endpoints, e.g., according to a protocol, such as the GTP-Uprotocol.

In some scenarios, direct tunneling solution 458 can forward user planedata packets between eNB 416 a and PGW 426, by way of SGW 420. That is,SGW 420 can serve a relay function, by relaying packets between twotunnel endpoints 416 a, 426. In other scenarios, direct tunnelingsolution 458 can forward user data packets between eNB 416 a and PGW426, by way of the S1 U+ interface, thereby bypassing SGW 420.

Generally, UE 414 can have one or more bearers at any one time. Thenumber and types of bearers can depend on applications, defaultrequirements, and so on. It is understood that the techniques disclosedherein, including the configuration, management and use of varioustunnel solutions 450, 458, can be applied to the bearers on anindividual bases. That is, if user data packets of one bearer, say abearer associated with a VoIP service of UE 414, then the forwarding ofall packets of that bearer are handled in a similar manner. Continuingwith this example, the same UE 414 can have another bearer associatedwith it through the same eNB 416 a. This other bearer, for example, canbe associated with a relatively low rate data session forwarding userdata packets through core network 404 simultaneously with the firstbearer. Likewise, the user data packets of the other bearer are alsohandled in a similar manner, without necessarily following a forwardingpath or solution of the first bearer. Thus, one of the bearers may beforwarded through direct tunnel 458; whereas, another one of the bearersmay be forwarded through a two-tunnel solution 450.

FIG. 5 depicts an exemplary diagrammatic representation of a machine inthe form of a computer system 500 within which a set of instructions,when executed, may cause the machine to perform any one or more of themethods described above. One or more instances of the machine canoperate, for example, as processor 302, UE 414, eNB 416, MME 418, SGW420, HSS 422, PCRF 424, PGW 426 and other devices of FIGS. 1, 2, and 4.In some embodiments, the machine may be connected (e.g., using a network502) to other machines. In a networked deployment, the machine mayoperate in the capacity of a server or a client user machine in aserver-client user network environment, or as a peer machine in apeer-to-peer (or distributed) network environment.

The machine may comprise a server computer, a client user computer, apersonal computer (PC), a tablet, a smart phone, a laptop computer, adesktop computer, a control system, a network router, switch or bridge,or any machine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. It will beunderstood that a communication device of the subject disclosureincludes broadly any electronic device that provides voice, video ordata communication. Further, while a single machine is illustrated, theterm “machine” shall also be taken to include any collection of machinesthat individually or jointly execute a set (or multiple sets) ofinstructions to perform any one or more of the methods discussed herein.

Computer system 500 may include a processor (or controller) 504 (e.g., acentral processing unit (CPU)), a graphics processing unit (GPU, orboth), a main memory 506 and a static memory 508, which communicate witheach other via a bus 510. The computer system 500 may further include adisplay unit 512 (e.g., a liquid crystal display (LCD), a flat panel, ora solid state display). Computer system 500 may include an input device514 (e.g., a keyboard), a cursor control device 516 (e.g., a mouse), adisk drive unit 518, a signal generation device 520 (e.g., a speaker orremote control) and a network interface device 522. In distributedenvironments, the embodiments described in the subject disclosure can beadapted to utilize multiple display units 512 controlled by two or morecomputer systems 500. In this configuration, presentations described bythe subject disclosure may in part be shown in a first of display units512, while the remaining portion is presented in a second of displayunits 512.

The disk drive unit 518 may include a tangible computer-readable storagemedium 524 on which is stored one or more sets of instructions (e.g.,software 526) embodying any one or more of the methods or functionsdescribed herein, including those methods illustrated above.Instructions 526 may also reside, completely or at least partially,within main memory 506, static memory 508, or within processor 504during execution thereof by the computer system 500. Main memory 506 andprocessor 504 also may constitute tangible computer-readable storagemedia.

As shown in FIG. 6, telecommunication system 600 may include wirelesstransmit/receive units (WTRUs) 602, a RAN 604, a core network 606, apublic switched telephone network (PSTN) 608, the Internet 610, or othernetworks 612, though it will be appreciated that the disclosed examplescontemplate any number of WTRUs, base stations, networks, or networkelements. Each WTRU 602 may be any type of device configured to operateor communicate in a wireless environment. For example, a WTRU maycomprise drone 102, a mobile device, network device 300, or the like, orany combination thereof. By way of example, WTRUs 602 may be configuredto transmit or receive wireless signals and may include a UE, a mobilestation, a mobile device, a fixed or mobile subscriber unit, a pager, acellular telephone, a PDA, a smartphone, a laptop, a netbook, a personalcomputer, a wireless sensor, consumer electronics, or the like. WTRUs602 may be configured to transmit or receive wireless signals over anair interface 614.

Telecommunication system 600 may also include one or more base stations616. Each of base stations 616 may be any type of device configured towirelessly interface with at least one of the WTRUs 602 to facilitateaccess to one or more communication networks, such as core network 606,PTSN 608, Internet 610, or other networks 612. By way of example, basestations 616 may be a base transceiver station (BTS), a Node-B, an eNodeB, a Home Node B, a Home eNode B, a site controller, an access point(AP), a wireless router, or the like. While base stations 616 are eachdepicted as a single element, it will be appreciated that base stations616 may include any number of interconnected base stations or networkelements.

RAN 604 may include one or more base stations 616, along with othernetwork elements, such as a base station controller (BSC), a radionetwork controller (RNC), or relay nodes. One or more base stations 616may be configured to transmit or receive wireless signals within aparticular geographic region, which may be referred to as a cell. Thecell may further be divided into cell sectors. For example, the cellassociated with base station 616 may be divided into three sectors suchthat base station 616 may include three transceivers: one for eachsector of the cell. In another example, base station 616 may employmultiple-input multiple-output (MIMO) technology and, therefore, mayutilize multiple transceivers for each sector of the cell.

Base stations 616 may communicate with one or more of WTRUs 602 over airinterface 614, which may be any suitable wireless communication link(e.g., RF, microwave, infrared (IR), ultraviolet (UV), or visiblelight). Air interface 614 may be established using any suitable radioaccess technology (RAT).

More specifically, as noted above, telecommunication system 600 may be amultiple access system and may employ one or more channel accessschemes, such as CDMA, TDMA, FDMA, OFDMA, SC-FDMA, or the like. Forexample, base station 616 in RAN 604 and WTRUs 602 connected to RAN 604may implement a radio technology such as Universal MobileTelecommunications System (UMTS) Terrestrial Radio Access (UTRA) thatmay establish air interface 614 using wideband CDMA (WCDMA). WCDMA mayinclude communication protocols, such as High-Speed Packet Access (HSPA)or Evolved HSPA (HSPA+). HSPA may include High-Speed Downlink PacketAccess (HSDPA) or High-Speed Uplink Packet Access (HSUPA).

As another example base station 616 and WTRUs 602 that are connected toRAN 604 may implement a radio technology such as Evolved UMTSTerrestrial Radio Access (E-UTRA), which may establish air interface 614using LTE or LTE-Advanced (LTE-A).

Optionally base station 616 and WTRUs 602 connected to RAN 604 mayimplement radio technologies such as IEEE 602.16 (i.e., WorldwideInteroperability for Microwave Access (WiMAX)), CDMA2000, CDMA2000 1×,CDMA2000 EV-DO, Interim Standard 2000 (IS-2000), Interim Standard 95(IS-95), Interim Standard 856 (IS-856), GSM, Enhanced Data rates for GSMEvolution (EDGE), GSM EDGE (GERAN), or the like.

Base station 616 may be a wireless router, Home Node B, Home eNode B, oraccess point, for example, and may utilize any suitable RAT forfacilitating wireless connectivity in a localized area, such as a placeof business, a home, a vehicle, a campus, or the like. For example, basestation 616 and associated WTRUs 602 may implement a radio technologysuch as IEEE 602.11 to establish a wireless local area network (WLAN).As another example, base station 616 and associated WTRUs 602 mayimplement a radio technology such as IEEE 602.15 to establish a wirelesspersonal area network (WPAN). In yet another example, base station 616and associated WTRUs 602 may utilize a cellular-based RAT (e.g., WCDMA,CDMA2000, GSM, LTE, LTE-A, etc.) to establish a picocell or femtocell.As shown in FIG. 6, base station 616 may have a direct connection toInternet 610. Thus, base station 616 may not be required to accessInternet 610 via core network 606.

RAN 604 may be in communication with core network 606, which may be anytype of network configured to provide voice, data, applications, and/orvoice over internet protocol (VoIP) services to one or more WTRUs 602.For example, core network 606 may provide call control, billingservices, mobile location-based services, pre-paid calling, Internetconnectivity, video distribution or high-level security functions, suchas user authentication. Although not shown in FIG. 6, it will beappreciated that RAN 604 or core network 606 may be in direct orindirect communication with other RANs that employ the same RAT as RAN604 or a different RAT. For example, in addition to being connected toRAN 604, which may be utilizing an E-UTRA radio technology, core network606 may also be in communication with another RAN employing a GSM radiotechnology.

Core network 606 may also serve as a gateway for WTRUs 602 to accessPSTN 608, Internet 610, or other networks 612. PSTN 608 may includecircuit-switched telephone networks that provide plain old telephoneservice (POTS). For LTE core networks, core network 606 may use IMS core614 to provide access to PSTN 608. Internet 610 may include a globalsystem of interconnected computer networks or devices that use commoncommunication protocols, such as the transmission control protocol(TCP), user datagram protocol (UDP), or IP in the TCP/IP internetprotocol suite. Other networks 612 may include wired or wirelesscommunications networks owned or operated by other service providers.For example, other networks 612 may include another core networkconnected to one or more RANs, which may employ the same RAT as RAN 604or a different RAT.

Some or all WTRUs 602 in telecommunication system 600 may includemulti-mode capabilities. That is, WTRUs 602 may include multipletransceivers for communicating with different wireless networks overdifferent wireless links. For example, one or more WTRUs 602 may beconfigured to communicate with base station 616, which may employ acellular-based radio technology, and with base station 616, which mayemploy an IEEE 802 radio technology.

FIG. 7 is an example system 700 including RAN 604 and core network 606.As noted above, RAN 604 may employ an E-UTRA radio technology tocommunicate with WTRUs 602 over air interface 614. RAN 604 may also bein communication with core network 606.

RAN 604 may include any number of eNode-Bs 702 while remainingconsistent with the disclosed technology. One or more eNode-Bs 702 mayinclude one or more transceivers for communicating with the WTRUs 602over air interface 614. Optionally, eNode-Bs 702 may implement MIMOtechnology. Thus, one of eNode-Bs 702, for example, may use multipleantennas to transmit wireless signals to, or receive wireless signalsfrom, one of WTRUs 602.

Each of eNode-Bs 702 may be associated with a particular cell and may beconfigured to handle radio resource management decisions, handoverdecisions, scheduling of users in the uplink or downlink, or the like.As shown in FIG. 7 eNode-Bs 702 may communicate with one another over anX2 interface.

Core network 606 shown in FIG. 7 may include a mobility managementgateway or entity (MME) 704, a serving gateway 706, or a packet datanetwork (PDN) gateway 708. While each of the foregoing elements aredepicted as part of core network 606, it will be appreciated that anyone of these elements may be owned or operated by an entity other thanthe core network operator.

MME 704 may be connected to each of eNode-Bs 702 in RAN 604 via an S1interface and may serve as a control node. For example, MME 704 may beresponsible for authenticating users of WTRUs 602, bearer activation ordeactivation, selecting a particular serving gateway during an initialattach of WTRUs 602, or the like. MME 704 may also provide a controlplane function for switching between RAN 604 and other RANs that employother radio technologies, such as GSM or WCDMA.

Serving gateway 706 may be connected to each of eNode-Bs 702 in RAN 604via the S1 interface. Serving gateway 706 may generally route or forwarduser data packets to or from the WTRUs 602. Serving gateway 706 may alsoperform other functions, such as anchoring user planes duringinter-eNode B handovers, triggering paging when downlink data isavailable for WTRUs 602, managing or storing contexts of WTRUs 602, orthe like.

Serving gateway 706 may also be connected to PDN gateway 708, which mayprovide WTRUs 602 with access to packet-switched networks, such asInternet 610, to facilitate communications between WTRUs 602 andIP-enabled devices.

Core network 606 may facilitate communications with other networks. Forexample, core network 606 may provide WTRUs 602 with access tocircuit-switched networks, such as PSTN 608, such as through IMS core614, to facilitate communications between WTRUs 602 and traditionalland-line communications devices. In addition, core network 606 mayprovide the WTRUs 602 with access to other networks 612, which mayinclude other wired or wireless networks that are owned or operated byother service providers.

FIG. 8 depicts an overall block diagram of an example packet-basedmobile cellular network environment, such as a GPRS network as describedherein. In the example packet-based mobile cellular network environmentshown in FIG. 8, there are a plurality of base station subsystems (BSS)800 (only one is shown), each of which comprises a base stationcontroller (BSC) 802 serving a plurality of BTSs, such as BTSs 804, 806,808. BTSs 804, 806, 808 are the access points where users ofpacket-based mobile devices become connected to the wireless network. Inexample fashion, the packet traffic originating from mobile devices istransported via an over-the-air interface to BTS 808, and from BTS 808to BSC 802. Base station subsystems, such as BSS 800, are a part ofinternal frame relay network 810 that can include a service GPRS supportnodes (SGSN), such as SGSN 812 or SGSN 814. Each SGSN 812, 814 isconnected to an internal packet network 816 through which SGSN 812, 814can route data packets to or from a plurality of gateway GPRS supportnodes (GGSN) 818, 820, 822. As illustrated, SGSN 814 and GGSNs 818, 820,822 are part of internal packet network 816. GGSNs 818, 820, 822 mainlyprovide an interface to external IP networks such as PLMN 824, corporateintranets/internets 826, or Fixed-End System (FES) or the publicInternet 828. As illustrated, subscriber corporate network 826 may beconnected to GGSN 820 via a firewall 830. PLMN 824 may be connected toGGSN 820 via a border gateway router (BGR) 832. A Remote AuthenticationDial-In User Service (RADIUS) server 834 may be used for callerauthentication when a user calls corporate network 826.

Generally, there may be a several cell sizes in a network, referred toas macro, micro, pico, femto or umbrella cells. The coverage area ofeach cell is different in different environments. Macro cells can beregarded as cells in which the base station antenna is installed in amast or a building above average roof top level. Micro cells are cellswhose antenna height is under average roof top level. Micro cells aretypically used in urban areas. Pico cells are small cells having adiameter of a few dozen meters. Pico cells are used mainly indoors.Femto cells have the same size as pico cells, but a smaller transportcapacity. Femto cells are used indoors, in residential or small businessenvironments. On the other hand, umbrella cells are used to covershadowed regions of smaller cells and fill in gaps in coverage betweenthose cells.

FIG. 9 illustrates an architecture of a typical GPRS network 900 asdescribed herein. The architecture depicted in FIG. 9 may be segmentedinto four groups: users 902, RAN 904, core network 906, and interconnectnetwork 908. Users 902 comprise a plurality of end users, who each mayuse one or more devices 910. Note that device 910 is referred to as amobile subscriber (MS) in the description of network shown in FIG. 9. Inan example, device 910 comprises a communications device (e.g., mobiledevice 102, mobile positioning center 116, network device 300, any ofdetected devices 500, second device 508, access device 604, accessdevice 606, access device 608, access device 610 or the like, or anycombination thereof). Radio access network 904 comprises a plurality ofBSSs such as BSS 912, which includes a BTS 914 and a BSC 916. Corenetwork 906 may include a host of various network elements. Asillustrated in FIG. 9, core network 906 may comprise MSC 918, servicecontrol point (SCP) 920, gateway MSC (GMSC) 922, SGSN 924, home locationregister (HLR) 926, authentication center (AuC) 928, domain name system(DNS) server 930, and GGSN 932. Interconnect network 908 may alsocomprise a host of various networks or other network elements. Asillustrated in FIG. 9, interconnect network 908 comprises a PSTN 934, anFES/Internet 936, a firewall 1038 (FIG. 10), or a corporate network 940.

An MSC can be connected to a large number of BSCs. At MSC 918, forinstance, depending on the type of traffic, the traffic may be separatedin that voice may be sent to PSTN 934 through GMSC 922, or data may besent to SGSN 924, which then sends the data traffic to GGSN 932 forfurther forwarding.

When MSC 918 receives call traffic, for example, from BSC 916, it sendsa query to a database hosted by SCP 920, which processes the request andissues a response to MSC 918 so that it may continue call processing asappropriate.

HLR 926 is a centralized database for users to register to the GPRSnetwork. HLR 926 stores static information about the subscribers such asthe International Mobile Subscriber Identity (IMSI), subscribedservices, or a key for authenticating the subscriber. HLR 926 alsostores dynamic subscriber information such as the current location ofthe MS. Associated with HLR 926 is AuC 928, which is a database thatcontains the algorithms for authenticating subscribers and includes theassociated keys for encryption to safeguard the user input forauthentication.

In the following, depending on context, “mobile subscriber” or “MS”sometimes refers to the end user and sometimes to the actual portabledevice, such as a mobile device, used by an end user of the mobilecellular service. When a mobile subscriber turns on his or her mobiledevice, the mobile device goes through an attach process by which themobile device attaches to an SGSN of the GPRS network. In FIG. 9, whenMS 910 initiates the attach process by turning on the networkcapabilities of the mobile device, an attach request is sent by MS 910to SGSN 924. The SGSN 924 queries another SGSN, to which MS 910 wasattached before, for the identity of MS 910. Upon receiving the identityof MS 910 from the other SGSN, SGSN 924 requests more information fromMS 910. This information is used to authenticate MS 910 together withthe information provided by HLR 926. Once verified, SGSN 924 sends alocation update to HLR 926 indicating the change of location to a newSGSN, in this case SGSN 924. HLR 926 notifies the old SGSN, to which MS910 was attached before, to cancel the location process for MS 910. HLR926 then notifies SGSN 924 that the location update has been performed.At this time, SGSN 924 sends an Attach Accept message to MS 910, whichin turn sends an Attach Complete message to SGSN 924.

Next, MS 910 establishes a user session with the destination network,corporate network 940, by going through a Packet Data Protocol (PDP)activation process. Briefly, in the process, MS 910 requests access tothe Access Point Name (APN), for example, UPS.com, and SGSN 924 receivesthe activation request from MS 910. SGSN 924 then initiates a DNS queryto learn which GGSN 932 has access to the UPS.com APN. The DNS query issent to a DNS server within core network 906, such as DNS server 930,which is provisioned to map to one or more GGSNs in core network 906.Based on the APN, the mapped GGSN 932 can access requested corporatenetwork 940. SGSN 924 then sends to GGSN 932 a Create PDP ContextRequest message that contains necessary information. GGSN 932 sends aCreate PDP Context Response message to SGSN 924, which then sends anActivate PDP Context Accept message to MS 910.

Once activated, data packets of the call made by MS 910 can then gothrough RAN 904, core network 906, and interconnect network 908, in aparticular FES/Internet 936 and firewall 1038, to reach corporatenetwork 940.

FIG. 10 illustrates a block diagram of an example PLMN architecture thatmay be replaced by a telecommunications system. In FIG. 10, solid linesmay represent user traffic signals, and dashed lines may representsupport signaling. MS 1002 is the physical equipment used by the PLMNsubscriber. For example, drone 102, network device 300, the like, or anycombination thereof may serve as MS 1002. MS 1002 may be one of, but notlimited to, a cellular telephone, a cellular telephone in combinationwith another electronic device or any other wireless mobilecommunication device.

MS 1002 may communicate wirelessly with BSS 1004. BSS 1004 contains BSC1006 and a BTS 1008. BSS 1004 may include a single BSC 1006/BTS 1008pair (base station) or a system of BSC/BTS pairs that are part of alarger network. BSS 1004 is responsible for communicating with MS 1002and may support one or more cells. BSS 1004 is responsible for handlingcellular traffic and signaling between MS 1002 and a core network 1010.Typically, BSS 1004 performs functions that include, but are not limitedto, digital conversion of speech channels, allocation of channels tomobile devices, paging, or transmission/reception of cellular signals.

Additionally, MS 1002 may communicate wirelessly with RNS 1012. RNS 1012contains a Radio Network Controller (RNC) 1014 and one or more Nodes B1016. RNS 1012 may support one or more cells. RNS 1012 may also includeone or more RNC 1014/Node B 1016 pairs or alternatively a single RNC1014 may manage multiple Nodes B 1016. RNS 1012 is responsible forcommunicating with MS 1002 in its geographically defined area. RNC 1014is responsible for controlling Nodes B 1016 that are connected to it andis a control element in a UMTS radio access network. RNC 1014 performsfunctions such as, but not limited to, load control, packet scheduling,handover control, security functions, or controlling MS 1002 access tocore network 1010.

An E-UTRA Network (E-UTRAN) 1018 is a RAN that provides wireless datacommunications for MS 1002 and UE 1024. E-UTRAN 1018 provides higherdata rates than traditional UMTS. It is part of the LTE upgrade formobile networks, and later releases meet the requirements of theInternational Mobile Telecommunications (IMT) Advanced and are commonlyknown as a 4G networks. E-UTRAN 1018 may include of series of logicalnetwork components such as E-UTRAN Node B (eNB) 1020 and E-UTRAN Node B(eNB) 1022. E-UTRAN 1018 may contain one or more eNBs. User equipment(UE) 1024 may be any mobile device capable of connecting to E-UTRAN 1018including, but not limited to, a personal computer, laptop, mobiledevice, wireless router, or other device capable of wirelessconnectivity to E-UTRAN 1018. The improved performance of the E-UTRAN1018 relative to a typical UMTS network allows for increased bandwidth,spectral efficiency, and functionality including, but not limited to,voice, high-speed applications, large data transfer or IPTV, while stillallowing for full mobility.

Typically MS 1002 may communicate with any or all of BSS 1004, RNS 1012,or E-UTRAN 1018. In a illustrative system, each of BSS 1004, RNS 1012,and E-UTRAN 1018 may provide MS 1002 with access to core network 1010.Core network 1010 may include of a series of devices that route data andcommunications between end users. Core network 1010 may provide networkservice functions to users in the circuit switched (CS) domain or thepacket switched (PS) domain. The CS domain refers to connections inwhich dedicated network resources are allocated at the time ofconnection establishment and then released when the connection isterminated. The PS domain refers to communications and data transfersthat make use of autonomous groupings of bits called packets. Eachpacket may be routed, manipulated, processed or handled independently ofall other packets in the PS domain and does not require dedicatednetwork resources.

The circuit-switched MGW function (CS-MGW) 1026 is part of core network1010, and interacts with VLR/MSC server 1028 and GMSC server 1030 inorder to facilitate core network 1010 resource control in the CS domain.Functions of CS-MGW 1026 include, but are not limited to, mediaconversion, bearer control, payload processing or other mobile networkprocessing such as handover or anchoring. CS-MGW 1026 may receiveconnections to MS 1002 through BSS 1004 or RNS 1012.

SGSN 1032 stores subscriber data regarding MS 1002 in order tofacilitate network functionality. SGSN 1032 may store subscriptioninformation such as, but not limited to, the IMSI, temporary identities,or PDP addresses. SGSN 1032 may also store location information such as,but not limited to, GGSN address for each GGSN 1034 where an active PDPexists. GGSN 1034 may implement a location register function to storesubscriber data it receives from SGSN 1032 such as subscription orlocation information.

Serving gateway (S-GW) 1036 is an interface which provides connectivitybetween E-UTRAN 1018 and core network 1010. Functions of S-GW 1036include, but are not limited to, packet routing, packet forwarding,transport level packet processing, or user plane mobility anchoring forinter-network mobility. PCRF 1038 uses information gathered from P-GW1036, as well as other sources, to make applicable policy and chargingdecisions related to data flows, network resources or other networkadministration functions. PDN gateway (PDN-GW) 1040 may provideuser-to-services connectivity functionality including, but not limitedto, GPRS/EPC network anchoring, bearer session anchoring and control, orIP address allocation for PS domain connections.

HSS 1042 is a database for user information and stores subscription dataregarding MS 1002 or UE 1024 for handling calls or data sessions.Networks may contain one HSS 1042 or more if additional resources arerequired. Example data stored by HSS 1042 include, but is not limitedto, user identification, numbering or addressing information, securityinformation, or location information. HSS 1042 may also provide call orsession establishment procedures in both the PS and CS domains.

VLR/MSC Server 1028 provides user location functionality. When MS 1002enters a new network location, it begins a registration procedure. A MSCserver for that location transfers the location information to the VLRfor the area. A VLR and MSC server may be located in the same computingenvironment, as is shown by VLR/MSC server 1028, or alternatively may belocated in separate computing environments. A VLR may contain, but isnot limited to, user information such as the IMSI, the Temporary MobileStation Identity (TMSI), the Local Mobile Station Identity (LMSI), thelast known location of the mobile station, or the SGSN where the mobilestation was previously registered. The MSC server may containinformation such as, but not limited to, procedures for MS 1002registration or procedures for handover of MS 1002 to a differentsection of core network 1010. GMSC server 1030 may serve as a connectionto alternate GMSC servers for other MSs in larger networks.

EIR 1044 is a logical element which may store the IMEI for MS 1002. Userequipment may be classified as either “white listed” or “black listed”depending on its status in the network. If MS 1002 is stolen and put touse by an unauthorized user, it may be registered as “black listed” inEIR 1044, preventing its use on the network. A MME 1046 is a controlnode which may track MS 1002 or UE 1024 if the devices are idle.Additional functionality may include the ability of MME 1046 to contactidle MS 1002 or UE 1024 if retransmission of a previous session isrequired.

As described herein, a telecommunications system wherein management andcontrol utilizing a software designed network (SDN) and a simple IP arebased, at least in part, on user equipment, may provide a wirelessmanagement and control framework that enables common wireless managementand control, such as mobility management, radio resource management,QoS, load balancing, etc., across many wireless technologies, e.g. LTE,Wi-Fi, and future 5G access technologies; decoupling the mobilitycontrol from data planes to let them evolve and scale independently;reducing network state maintained in the network based on user equipmenttypes to reduce network cost and allow massive scale; shortening cycletime and improving network upgradability; flexibility in creatingend-to-end services based on types of user equipment and applications,thus improve customer experience; or improving user equipment powerefficiency and battery life—especially for simple M2M devices—throughenhanced wireless management.

While examples of a telecommunications system in which emergency alertscan be processed and managed have been described in connection withvarious computing devices/processors, the underlying concepts may beapplied to any computing device, processor, or system capable offacilitating a telecommunications system. The various techniquesdescribed herein may be implemented in connection with hardware orsoftware or, where appropriate, with a combination of both. Thus, themethods and devices may take the form of program code (i.e.,instructions) embodied in concrete, tangible, storage media having aconcrete, tangible, physical structure. Examples of tangible storagemedia include floppy diskettes, CD-ROMs, DVDs, hard drives, or any othertangible machine-readable storage medium (computer-readable storagemedium). Thus, a computer-readable storage medium is not a signal. Acomputer-readable storage medium is not a transient signal. Further, acomputer-readable storage medium is not a propagating signal. Acomputer-readable storage medium as described herein is an article ofmanufacture. When the program code is loaded into and executed by amachine, such as a computer, the machine becomes an device fortelecommunications. In the case of program code execution onprogrammable computers, the computing device will generally include aprocessor, a storage medium readable by the processor (includingvolatile or nonvolatile memory or storage elements), at least one inputdevice, and at least one output device. The program(s) can beimplemented in assembly or machine language, if desired. The languagecan be a compiled or interpreted language, and may be combined withhardware implementations.

The methods and devices associated with a telecommunications system asdescribed herein also may be practiced via communications embodied inthe form of program code that is transmitted over some transmissionmedium, such as over electrical wiring or cabling, through fiber optics,or via any other form of transmission, wherein, when the program code isreceived and loaded into and executed by a machine, such as an EPROM, agate array, a programmable logic device (PLD), a client computer, or thelike, the machine becomes an device for implementing telecommunicationsas described herein. When implemented on a general-purpose processor,the program code combines with the processor to provide a unique devicethat operates to invoke the functionality of a telecommunicationssystem.

EXAMPLES Example 1

An on-demand virtual security system between a client and a server incommunication with a network, the system comprising: an orchestrator,wherein upon receiving a service request from at least one of the clientand the server, the orchestrator instantiates a security virtualfunction within the network and supplies the security virtual functionwith at least one connectivity policy, and wherein the security virtualfunction applies the at least one connectivity policy to approve ordisapprove a connection between the client and the server and whereinupon the security virtual function approving the connection between theclient and the server, a orchestrator establishes a data session; andwherein after the data session has concluded, the orchestratorterminates the security virtual function.

Example 2

The system of example 1 further comprising a single packet authorizationvirtual function in communication with the orchestrator, wherein theservice request is transmitted to the single packet authorizationvirtual function for confirmation before the orchestrator instantiatesthe security virtual function.

Example 3

The system of example 1 further comprising a service function forwarder,an ingress service classifier and an egress service classifier; theservice function forwarder being in communication with the orchestratorand each of the ingress service classifier and the egress serviceclassifier; wherein upon the security virtual function approving theconnection, the orchestrator updates the service function forwarder andin turn the ingress service classifier and the egress service classifierto establish the data session.

Example 4

The system of example 1 further comprising an access router and anaggregation router in communication with the orchestrator, wherein theservice request is transmitted from the access router to theorchestrator; and wherein the security virtual function is locateddownstream of the access router and upstream of the aggregation router,and wherein the data session is established by connecting the accessrouter to the aggregation router.

Example 5

The system of example 4 further comprising a service function forwarderin communication with the access router, the security virtual functionand the aggregation router, wherein the service function forwarderroutes data from the access router and the aggregation router throughthe security virtual function; and wherein the security virtual functionapplies the at least one connectivity policy to act as a virtualfirewall.

Example 6

The system of example 5 further comprising a first service classifier incommunication with the access router and a second service classifier incommunication with the aggregation router, the first service classifierand the second service classifier being in communication with theservice function forwarder; wherein the data from at least one of theaccess router and the aggregation router is sent to the service functionforwarder by at least one of the first service classifier and the secondservice classifier.

Example 7

The system of example 1, wherein the service request includes a singlepacket authorization data.

Example 8

The system of example 1, wherein the orchestrator resides within asoftware defined network.

Example 9

The system of example 1 further comprising an access router and anaggregation router defining a perimeter of the network, wherein securityvirtual function selectively connects the access router to theaggregation router.

Example 10

The system of example 1, wherein the security virtual function operatesas a virtual firewall between the client and the server during the datasession.

Example 11

A network device comprising a processor, an input/output device coupledto the processor, and a memory coupled with the processor, the memorycomprising executable instructions that when executed by the processorcause the processor to effectuate operations comprising: instantiating asecurity virtual function in response to a request for one of a networksession and a virtual network function; the security virtual functionconfigured to apply at least one connection policy to allow or denytraffic in a data session; and after the data session, the securityvirtual function is terminated.

Example 12

The network device of example 1, wherein the operations further includedefining an orchestrator in communication with a service functionforwarder; and wherein upon the security virtual function applying theat least one connection policy to allow traffic, the orchestratorproviding an instruction to update the service function forwarder topermit the traffic in the data session.

Example 13

The network device of example 12 further comprising the service functionforwarder in communication with a first service classifier and a secondservice classifier, wherein upon receiving the orchestrator updating theservice function forwarder, the service function forwarder forwards theinstruction to at least one of the first service classifier and thesecond service classifier.

Example 14

The network device of example 11, wherein the request includes a singlepacket authorization request.

Example 15

The network device of example 14 wherein the operations includeclassifying the single packet authorization request at a first serviceclassifier, routing the request via a service function forwarder to asingle packet authorization service function for validation, and whereinthe step of instantiating occurs after validation of the single packetauthorization request.

Example 16

The network device of example 15, wherein the security functioncommunicates with the service function forwarder to apply the at leastone connection policy to allow or deny traffic between the first serviceclassifier and the second service classifier.

Example 17

The network device of example 16, wherein the first service classifieris in communication with a client and the second service classifier isin communication with a server.

Example 18

The network device of example 17, wherein the client communicates withthe first service classifier via an access router.

Example 19

The network device of example 17, wherein the server communicates withthe second service classifier via an aggregation router.

The invention claimed is:
 1. An on-demand virtual security systembetween a client and a server in communication with a network, thesystem comprising: a processor; an orchestrator coupled with theprocessor; and a memory coupled with the processor, the memory storingexecutable instructions that when executed by the processor cause theprocessor to effectuate operations comprising: receiving a servicerequest from at least one of the client and the server; in response toreceiving the service request, instantiating, by the orchestrator, asecurity virtual function within the network and supplying the securityvirtual function with at least one connectivity policy; applying, by thesecurity virtual function, the at least one connectivity policy toapprove or disapprove a connection between the client and the server; inresponse to the security virtual function approving the connectionbetween the client and the server, establishing a data session via theorchestrator; and in response to the data session concluding,terminating the security virtual function via the orchestrator; and anaccess router and an aggregation router in communication with theorchestrator, wherein the service request is transmitted from the accessrouter to the orchestrator; and wherein the security virtual function islocated downstream of the access router and upstream of the aggregationrouter, and wherein the data session is established by connecting theaccess router to the aggregation router.
 2. The system of claim 1further comprising a single packet authorization virtual function incommunication with the orchestrator, wherein the service request istransmitted to the single packet authorization virtual function forconfirmation before the orchestrator instantiates the security virtualfunction.
 3. The system of claim 1 further comprising a service functionforwarder, an ingress service classifier and an egress serviceclassifier; the service function forwarder being in communication withthe orchestrator and each of the ingress service classifier and theegress service classifier; wherein upon the security virtual functionapproving the connection, the orchestrator updates the service functionforwarder and in turn the ingress service classifier and the egressservice classifier to establish the data session.
 4. The system of claim1 further comprising a service function forwarder in communication withthe access router, the security virtual function and the aggregationrouter, wherein the service function forwarder routes data from theaccess router and the aggregation router through the security virtualfunction; and wherein the security virtual function applies the at leastone connectivity policy to act as a virtual firewall.
 5. The system ofclaim 4 further comprising a first service classifier in communicationwith the access router and a second service classifier in communicationwith the aggregation router, the first service classifier and the secondservice classifier being in communication with the service functionforwarder; wherein the data from at least one of the access router andthe aggregation router is sent to the service function forwarder by atleast one of the first service classifier and the second serviceclassifier.
 6. The system of claim 1, wherein the service requestincludes a single packet authorization data.
 7. The system of claim 1,wherein the orchestrator resides within a software defined network. 8.The system of claim 1, wherein the an access router and an aggregationrouter define a perimeter of the network.
 9. The system of claim 1,wherein the security virtual function operates as a virtual firewallbetween the client and the server during the data session.
 10. Thesystem of claim 1, wherein the security virtual function is provisionedfor a time period associated with the data session.
 11. The system ofclaim 1, wherein the service request includes a single packetauthorization request and wherein the operations further includeproviding a control plane report to the orchestrator in response to asuccessful fulfillment of the single packet authorization request.
 12. Anetwork device comprising: a processor; an input/output device coupledwith the processor; and a memory coupled with the processor, the memorycomprising executable instructions that when executed by the processorcause the processor to effectuate operations comprising: receiving arequest for one of a network session and a virtual network function,wherein the request includes a single packet authorization request;classifying the single packet authorization request at a first serviceclassifier; routing the request, via a service function forwarder, to asingle packet authorization service function for validation;instantiating a security virtual function in response to the request,wherein instantiating the security virtual function occurs aftervalidation of the single packet authorization request; configuring thesecurity virtual function to apply at least one connection policy toallow or deny traffic in a data session; and in response to allowing thedata session, terminating the security virtual function after the datasession has concluded.
 13. The network device of claim 12, wherein theoperations further include defining an orchestrator in communicationwith the service function forwarder; and wherein upon the securityvirtual function applying the at least one connection policy to allowtraffic, the orchestrator providing an instruction to update the servicefunction forwarder to permit the traffic in the data session.
 14. Thenetwork device of claim 13 further comprising the service functionforwarder in communication with the first service classifier and asecond service classifier, wherein upon receiving the orchestratorupdating the service function forwarder, the service function forwarderforwards the instruction to at least one of the first service classifierand the second service classifier.
 15. The network device of claim 12,wherein the security virtual function communicates with the servicefunction forwarder to apply the at least one connection policy to allowor deny traffic between the first service classifier and a secondservice classifier.
 16. The network device of claim 15, wherein thefirst service classifier is in communication with a client and thesecond service classifier is in communication with a server.
 17. Thenetwork device of claim 16, wherein the client communicates with thefirst service classifier via an access router.
 18. The network device ofclaim 16, wherein the server communicates with the second serviceclassifier via an aggregation router.